How to Setup, Manage, and Maintain WSUS: Part 3 – Windows as a Service (WaaS) and Group Policy Administrative Templates

Home Blog WSUS How to Setup, Manage, and Maintain WSUS: Part 3 – Windows as a Service (WaaS) and Group Policy Administrative Templates

Upgrades from WSUS

If you are going to handle upgrades from Windows 10 to Windows 10 latest streams in WSUS (eg, 1511 to 1607 or 1703 or 1709 or 1803) also known as Windows as a Service (WaaS), there are 3 things you need to do on Server 2012 or Server 2012 R2 (2016 has all of this taken care of already except some people have had to do #2). If you’ve followed my instructions from the start, you can skip number 3 as that’s already done.

  1. In Products/Classifications, make sure to check the Upgrades box or Windows 10 Upgrades will not be available to approve.
  2. You also will need to add a MIME type for *.esd as application/octet-stream at the top level in IIS.
    To do this: Open IIS Manager > Select the server name > From the “IIS” section in the centre of IIS Manager, open “MIME Types” > Click “Add…” >
    File Mame Extention: = .esd
    MIME type: application/octet-stream
  3. If you are using Server 2012 or Server 2012 R2, along your update path, you may or may not heard about the dreaded KB3159706 (https://support.microsoft.com/en-us/kb/3159706). While Microsoft has not officially superseded this update, from the feedback I’ve seen in the communities, the patches and fixes that this KB comes with has been included with the latest cumulative update for Server 2012 and Server 2012 R2. According to the KB Article, you now only need to run a single command (“C:\Program Files\Update Services\Tools\wsusutil.exe” postinstall /servicing). If KB3159706 still applies to you and is installed, perform ALL OF THE STEPS BELOW including the ones for SSL (which is Microsoft’s best practice anyways; more on that in Part 7).

KB3159706 – Manual Steps – In case you still need them.

  1. Open PowerShell using ‘Run as administrator’
  2. Run wsusutil’s post install with the /servicing switch
    • “C:\Program Files\Update Services\Tools\wsusutil.exe” postinstall /servicing
  3. Install the ‘HTTP Activation’ feature under .NET Framework 4.5 Features using an Administrative PowerShell prompt
    • Get-WindowsFeature -Name NET-WCF-HTTP-Activation45 | Add-WindowsFeature -Restart:$False -Verbose -Source ‘Windows Update’
  4. Open the web.config file and modify it
    • notepad ‘C:\Program Files\Update Services\WebServices\ClientWebService\Web.Config’
      Modify the config file to include the bolded lines
      <services>
      <service
      name=”Microsoft.UpdateServices.Internal.Client”
      behaviorConfiguration=”ClientWebServiceBehaviour”>
             <!–
             These 4 endpoint bindings are required for supporting both http and https
             –>
             <endpoint address=””
             binding=”basicHttpBinding”
             bindingConfiguration=”SSL”
             contract=”Microsoft.UpdateServices.Internal.IClientWebService” />
             <endpoint address=”secured”
             binding=”basicHttpBinding”
             bindingConfiguration=”SSL”
             contract=”Microsoft.UpdateServices.Internal.IClientWebService” />
      <endpoint address=””
      binding=”basicHttpBinding”
      bindingConfiguration=”ClientWebServiceBinding”
      contract=”Microsoft.UpdateServices.Internal.IClientWebService” />
      <endpoint address=”secured”
      binding=”basicHttpBinding”
      bindingConfiguration=”ClientWebServiceBinding”
      contract=”Microsoft.UpdateServices.Internal.IClientWebService” />
      </service>
      </services><serviceHostingEnvironment aspNetCompatibilityEnabled=”true” multipleSiteBindingsEnabled=”true” />
  5. Restart WSUS Services
    • Get-Service -Name WsusService | Restart-Service -Verbose
  6. Run a checkhealth with wsusutil to make sure WSUS is healthy
    • “C:\Program Files\Update Services\Tools\wsusutil.exe” checkhealth

Administrative Templates (.admx)

You will want to get the latest Administrative Templates (.admx) for Windows 10 which is located at:

https://support.microsoft.com/en-ca/help/3087759/

Install these Administrative Templates in your Central PolicyDefinitions folder on your Domain Controller. The best way to update them is to take a copy of the PolicyDefinitions folder and stick it in a temp folder for a backup of what is currently working. Then take the ADMX files and the language folder you’re using and copy/paste them into the PolicyDefinitions folder, overwriting files as required. Don’t worry, these Administrative Templates are inclusive of all the prior versions of Windows but now with updated descriptions and applies to fields that are actually very good and very accurate.

If for some reason you don’t have the Central Store, please set it up following the directions at the link above.

Share the Post

About the Author

Adam J. Marshall

Related Posts

How to Setup, Manage, and Maintain WSUS: Part 5 – Linking your GPOs – Inheritance is your friend!
How to Setup, Manage, and Maintain WSUS: Part 1 – Choosing your Server OS
PowerShell: Why should I learn it? Where do I start?
What do I do when I run out of space on a WSUS Server?
How to Setup, Manage, and Maintain WSUS: Part 4 – Creating your GPOs for an Inheritance Setup
Exchange Autodiscover – A Guide to Making Exchange Work Properly
How to Setup, Manage, and Maintain WSUS: Part 8 – WSUS Server Maintenance
Role Based Access Security